Re: [users@httpd] Performing Internal Certificate Checks

Thu, 25 Jun 2009 02:13:08 -0700 

Thanks for your reply!
The user list is stored in a text file.

Eldad

On Thu, Jun 25, 2009 at 12:08 PM, Sean Conner <s...@conman.org> wrote:

> It was thus said that the Great Eldad Chai once stated:
> > Hi,
> >
> > I am using Apache reverse proxy.
> >
> > I want to perform the following and wondering if it is possible:
> >
> > 1)      Extract a field (Subject Name) from a client certificate sent
> over
> > SSL and compare it to a local list I have
> >
> > 2)      Add parts of the certificate to headers or parameters in the HTTP
> > request to the backend server
>
>   1) How is the local list stored?  My current configuration on my secure
> server for client certificates looks like:
>
>  <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
>    SSLRequireSSL
>    SSLRequire  %{SSL_CLIENT_S_DN_O}  eq "Conman Laboratories"  \
>            and %{SSL_CLIENT_S_DN_OU} eq "Clients"
>    SSLVerifyClient     require
>    SSLVerifyDepth      10
>  </Directory>
>
> Translated:  This directory requires a certificate with an organization of
> "Conman Laboratories", with a department of "Clients" can access,
> otherwise,
> fail the request.  I'm sure there are other methods, but I haven't
> investigated them.
>
>  2) I'm guessing something based on the following (I haven't played around
> much with web proxies, but this might get you on the right track):
>
>        RewriteEngine   On
>        RewriteBase     /wherever
>
>        RewriteRule     ^(.*)$
> proxyrequest?user=%{SSL:SSL_CLIENT_S_DN_CN}&group=%{SSL:SSL_CLIENT_S_DN_OU}
> [PL]
>
>  Basically, you can use any of the SSL environment variables [1] can be
> passed as part of a URI (CGI scripts will find them as environment
> variables).  Hope this points you in the right direction at least.
>
>  -spc
>
> [1]     A bunch are listed here:
>        http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>   "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

Reply via email to